Resubmissions

Submitted (UTC)       Analysis ID          Score
03/01/2025, 18:46     250103-xey6jaxpct    10
03/01/2025, 18:36     250103-w9dyeazpck    10
03/01/2025, 18:30     250103-w5lgpazmfq    10
03/01/2025, 05:20     250103-f1hl8s1kfs    10
03/01/2025, 05:16     250103-fx5mlatmck    10
03/01/2025, 05:10     250103-ftrlkatldn    10
03/01/2025, 05:08     250103-fsh8sstlap    10
30/12/2024, 05:30     241230-f67tbazkdz    10

Analysis
max time kernel: 1s
max time network: 3s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
submitted: 03/01/2025, 05:20 UTC
Static task: static1
Behavioral task: behavioral1
Sample: 111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
Resource: win10v2004-20241007-en
General

Target: 111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
Size: 563KB
MD5: 956c90a95e6e640f24d2fa8e03dbb145
SHA1: 6ed330ad442c53c05ce48b306be888a97bf8c88c
SHA256: 111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db
SHA512: c7051a4881bad5eba5d0039c3cb7f5eb0cfb6506f585dc0985ccb527439768ac5075564be43486ded5cc59d1aa4690a5052399f99108af5500cdeb611f8a6d48
SSDEEP: 12288:JYO6Dqzihouxpa+yWz2qRPmZqaKS6gfb3e82flYDXCOEO:OO6DThou2+y02TZqa97b3effyXXt
Malware Config

Extracted family: lumma
C2 URLs:
https://hummskitnj.buzz/api
https://cashfuzysao.buzz/api
https://appliacnesot.buzz/api
https://screwamusresz.buzz/api
https://inherineau.buzz/api
https://scentniej.buzz/api
https://rebuildeso.buzz/api
https://prisonyfork.buzz/api
https://mindhandru.buzz/api
Signatures

Lumma family

Suspicious use of SetThreadContext (1 IoC)
PID     Action                          Target PID   Process                                                                   Target procid
4512    set thread context of           4164         111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe     79

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
IoC                                                                        Process
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe

Suspicious use of WriteProcessMemory (9 IoCs, all identical)
PID     Action                          Target PID   Process                                                                   Target procid
4512    wrote to memory of (x9)         4164         111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe     79
Processes

1. C:\Users\Admin\AppData\Local\Temp\111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe"
   PID: 4512
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. (child of 1) C:\Users\Admin\AppData\Local\Temp\111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe"
      PID: 4164
      - System Location Discovery: System Language Discovery
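The two signatures above, taken together with the process tree, describe one pattern: the sample spawns a second copy of its own image (PID 4512 launches PID 4164), writes into that child nine times with WriteProcessMemory, then redirects its thread with SetThreadContext. That combination, parent and child sharing an image plus memory writes plus a context change, is the classic process-hollowing sequence. The following added example is not part of the report or the sandbox's tooling; it shows how a detection over API-call telemetry can require all three conditions rather than alerting on any single cross-process write. The events and the pid-to-image map are constructed to mirror the IoC rows on this page, with an extra devenv.exe row as benign noise.

```python
from collections import defaultdict
from typing import NamedTuple


class ApiEvent(NamedTuple):
    pid: int          # process making the call
    image: str        # image name of the caller
    api: str          # "WriteProcessMemory" or "SetThreadContext"
    target_pid: int   # process whose memory or thread was modified


SAMPLE = "111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe"

# Constructed telemetry shaped like the report's IoC rows (not the sandbox's export):
# PID 4512 wrote into 4164 nine times and set its thread context once, and both
# processes run the same image. The devenv.exe row is added noise: a single
# cross-process write into a different image, which must not be reported.
EVENTS = [ApiEvent(4512, SAMPLE, "WriteProcessMemory", 4164) for _ in range(9)]
EVENTS.append(ApiEvent(4512, SAMPLE, "SetThreadContext", 4164))
EVENTS.append(ApiEvent(1200, "devenv.exe", "WriteProcessMemory", 1300))

# pid -> image for every process in the (constructed) process tree.
IMAGES = {4512: SAMPLE, 4164: SAMPLE, 1200: "devenv.exe", 1300: "app.exe"}


def find_hollowing_candidates(events, images):
    """Return [(source_pid, target_pid, image, write_count)] for every source process
    that both wrote memory into and set a thread context in a target running the
    same image as itself.

    All three conditions are required on purpose: cross-process writes alone are
    common (debuggers, hooking frameworks), SetThreadContext alone is used by
    debuggers, and the same-image check singles out the spawn-self-suspended,
    overwrite, redirect-entry-point pattern this report shows.
    """
    writes = defaultdict(int)
    context_set = set()
    for ev in events:
        key = (ev.pid, ev.target_pid)
        if ev.api == "WriteProcessMemory":
            writes[key] += 1
        elif ev.api == "SetThreadContext":
            context_set.add(key)

    hits = []
    for src, dst in sorted(context_set):
        if src == dst or writes[(src, dst)] == 0:
            continue
        if images.get(src) is None or images.get(src) != images.get(dst):
            continue
        hits.append((src, dst, images[src], writes[(src, dst)]))
    return hits


if __name__ == "__main__":
    for src, dst, image, n in find_hollowing_candidates(EVENTS, IMAGES):
        print(f"PID {src} -> PID {dst}: {n}x WriteProcessMemory + SetThreadContext, same image {image}")
```

Two caveats for anyone porting this to production telemetry. Sysmon does not log SetThreadContext; this level of detail comes from an API-hooking sandbox (as here) or an EDR that instruments the call, so the event source must be checked before the rule is trusted. And hollowing variants that map a section into the child (NtMapViewOfSection) or queue an APC instead of changing the thread context will not produce the SetThreadContext row and would slip past this rule as written.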
-
Network

DNS queries (resolver 8.8.8.8:53)
Query                            Type   Response
mindhandru.buzz                  A      (no answer recorded)
prisonyfork.buzz                 A      (no answer recorded)
rebuildeso.buzz                  A      (no answer recorded)
scentniej.buzz                   A      (no answer recorded)
inherineau.buzz                  A      (no answer recorded)
screwamusresz.buzz               A      (no answer recorded)
appliacnesot.buzz                A      (no answer recorded)
cashfuzysao.buzz                 A      (no answer recorded)
hummskitnj.buzz                  A      (no answer recorded)
steamcommunity.com               A      104.82.234.109
8.8.8.8.in-addr.arpa             PTR    dns.google
109.234.82.104.in-addr.arpa      PTR    a104-82-234-109.deploy.static.akamaitechnologies.com

Flows
Destination           Host                 Proto   Process                                                                   Bytes out   Bytes in   Packets out/in
104.82.234.109:443    steamcommunity.com   tls     111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe     1.5kB       33.7kB     19 / 30
8.8.8.8:53            -                    dns     -                                                                         685 B       1.3kB      11 / 11
  DNS requests in this flow: mindhandru.buzz, prisonyfork.buzz, rebuildeso.buzz, scentniej.buzz, inherineau.buzz, screwamusresz.buzz, appliacnesot.buzz, cashfuzysao.buzz, hummskitnj.buzz, steamcommunity.com (response 104.82.234.109), 8.8.8.8.in-addr.arpa
8.8.8.8:53            -                    dns     -                                                                         73 B        139 B      1 / 1
  DNS request in this flow: 109.234.82.104.in-addr.arpa
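The network section shows a pattern worth reading carefully before turning it into blocklist entries: all nine domains from the extracted config were queried and none returned an address, and the only TLS session the sample opened went to steamcommunity.com, a legitimate site fronted by an Akamai address (see the PTR record). That is consistent with Lumma's documented fallback of fetching its live C2 from a Steam community profile page when the embedded domains are dead. The added example below is not part of the report; it takes the config URLs from this page and a constructed DNS log shaped like the rows above, labels each query, and separates hosts that should be blocked outright from hosts that need analyst review so that a legitimate service is not blocked on the strength of one sandbox run.

```python
from urllib.parse import urlparse

# The nine C2 URLs from the Lumma config extracted on this page.
LUMMA_C2_URLS = [
    "https://hummskitnj.buzz/api",
    "https://cashfuzysao.buzz/api",
    "https://appliacnesot.buzz/api",
    "https://screwamusresz.buzz/api",
    "https://inherineau.buzz/api",
    "https://scentniej.buzz/api",
    "https://rebuildeso.buzz/api",
    "https://prisonyfork.buzz/api",
    "https://mindhandru.buzz/api",
]

# Constructed DNS records in the shape of the report's network rows:
# (queried name, answers). An empty answer list mirrors the report's empty
# Response for every .buzz name.
DNS_LOG = [
    ("mindhandru.buzz", []),
    ("prisonyfork.buzz", []),
    ("rebuildeso.buzz", []),
    ("scentniej.buzz", []),
    ("inherineau.buzz", []),
    ("screwamusresz.buzz", []),
    ("appliacnesot.buzz", []),
    ("cashfuzysao.buzz", []),
    ("hummskitnj.buzz", []),
    ("steamcommunity.com", ["104.82.234.109"]),
]


def config_hosts(urls):
    """Hostnames from the extracted config, lower-cased for exact matching."""
    return {urlparse(u).hostname.lower() for u in urls}


def classify_dns(dns_log, c2_hosts):
    """Map each queried name to c2-resolved, c2-unresolved, other-resolved or other-unresolved."""
    labels = {}
    for name, answers in dns_log:
        origin = "c2" if name.lower() in c2_hosts else "other"
        state = "resolved" if answers else "unresolved"
        labels[name] = f"{origin}-{state}"
    return labels


def triage(dns_log, c2_hosts):
    """Split observed names into 'block' (every host from the config, resolved or
    not: a dead domain today can be re-registered tomorrow) and 'review' (names
    the sample actually reached that are not in the config).

    Review hosts are deliberately not blocked. In this report the only one is
    steamcommunity.com, whose address reverse-resolves to Akamai; blocking the
    name or the IP would break legitimate traffic, so the right follow-up is to
    look at the specific page fetched over that TLS session, not to block the host.
    """
    labels = classify_dns(dns_log, c2_hosts)
    block = sorted(c2_hosts)
    review = sorted(name for name, lab in labels.items() if lab == "other-resolved")
    return {"block": block, "review": review}


if __name__ == "__main__":
    result = triage(DNS_LOG, config_hosts(LUMMA_C2_URLS))
    print("block:", ", ".join(result["block"]))
    print("review:", ", ".join(result["review"]))
```

The split matters operationally: the nine .buzz names go straight to DNS or proxy blocklists, while the steamcommunity.com connection is an investigation lead (which profile was requested, and what did the response carry) and a sign that blocking the embedded domains alone will not cut this sample off from its operator.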